Why GAO Did This Study

The American Recovery and 
Reinvestment Act of 2009 (Recovery 
Act) requires recipients to report, 
among other things, project 
descriptions on Recovery.gov, the 
federal Recovery Act Web site. Within 
the Department of Homeland 
Security, the Federal Emergency 
Management Agency's (FEMA) Grant 
Programs Directorate administers the 
Port Security Grant Program (PSGP) 
to strengthen ports against risks from 
terrorist attacks. FEMA received and 
obligated $150 million in Recovery 
Act PSGP funds in 2009, and, as of 
September 2010, recipients have 
drawn down over $10 million. To 
facilitate recipient reporting, FEMA 
must consider the need both for 
transparency and for protection of 
Sensitive Security Information (SSI), 
which could be detrimental to 
transportation security if disclosed. 
As requested, GAO assessed FEMA's: 
(1) controls to ensure Recovery Act 
PSGP staff consistently follow SSI 
policies, and (2) steps to ensure 
PSGP recipients have not disclosed 
SSI on Recovery.gov. GAO reviewed 
relevant laws, regulations, guidance, 
and a random sample of PSGP 
Recovery Act recipient reports 
available as of February 2010, and 
interviewed agency officials. 

What GAO Recommends 

GAO recommends that FEMA 
improve SSI training, ensure proper 
marking of SSI, enhance recipient 
report review controls, and instruct 
recipients on safeguarding SSI while 
reporting on funded activities and 
expected outcomes in a transparent 
manner. FEMA concurred. 
at (202) 512-9627 or maurerd@gao.gov.



What GAO Found 

FEMA has taken steps to ensure Recovery Act PSGP staff consistently follow 
the Department of Homeland Security's SSI policies and processes, but key 
actions have not been taken. For instance, FEMA has appointed an SSI 
Program Manager — responsible for FEMA-wide SSI oversight — and an SSI 
Coordinator to facilitate the Grant Programs Directorate's use of SSI. Also, the 
SSI Program Manager provided SSI training to FEMA's Grant Programs 
Directorate staff; however, the training did not include FEMA-specific 
examples to illustrate the application of SSI, which the staff requested. GAO 
has previously reported that, when assessing training, managers should 
consider whether the training includes both the theoretical basis of the 
material — such as context and principles — and the practical application of the 
issues. Including FEMA-specific examples could help FEMA ensure Recovery 
Act PSGP staff have the necessary knowledge to handle and safeguard SSI. In 
addition, the SSI Coordinator has not assessed whether SSI documents have 
been appropriately labeled, in accordance with SSI regulations. For example, 
FEMA has determined that certain materials grant recipients submit to FEMA 
during the application process to describe how their projects will address 
current gaps and deficiencies are SSI, but has not marked them as such. 
While these documents have not been posted to Recovery.gov, immediately 
reviewing and marking them as SSI could improve safeguards and help 
prevent the information contained therein from inadvertent disclosure. 



FEMA has taken steps to develop a quarterly review process for Recovery Act 
PSGP recipient reports — prior to their public release on Recovery.gov — but 
does not have key controls to help prevent public disclosure of SSI. For 
instance, FEMA staff drafted a procedure for reviewing recipient reports, but 
FEMA management has not approved it and the draft does not include a 
procedure to verify the reviews' accuracy. Further, while GAO found that SSI 
had not been disclosed in Recovery Act recipient reports posted on 
Recovery.gov for the single reporting period GAO reviewed — with data 
publicly available as of February 2010 — FEMA lacks a process for comparing 
recipient reports to SSI criteria, and a protocol that informs recipients when 
FEMA determines that their reports contain SSI. Introducing these measures 
could help Grant Programs Directorate staff consistently review reports, 
identify when they contain SSI, reduce the risk of SSI disclosure on 
Recovery.gov, and reinforce recipients' obligations to safeguard SSI. In 
addition, GAO found wide variation in the level of detail about the awards' 
descriptions among the recipient reports sampled from Recovery.gov as of 
February 2010, although the majority provided minimal detail. According to 
FEMA, the sensitive nature of PSGP information affects the transparency of 
PSGP recipient reporting. By providing instruction to recipients on what 
should and should not be reported due to SSI requirements, FEMA could help 
recipients report project details in a transparent manner on the expenditure of 
Recovery Act funds while protecting information that could otherwise 
jeopardize transportation security if released. 



United States Government Accountability Office 
Washington, DC 20548 



October 15, 2010 

The Honorable Mitch McConnell 
Republican Leader 
United States Senate 

Dear Senator McConnell: 

The American Recovery and Reinvestment Act of 2009 (Recovery Act) 
provided $150 million to the Department of Homeland Security's (DHS) 
Port Security Grant Program (PSGP) for awards to states, localities, and 
private port operators to strengthen the nation's ports against risks 
associated with potential terrorist attacks. 1 To promote transparency and 
accountability, the Recovery Act includes a requirement that recipients 
report quarterly on a number of measures, such as a description of the 
projects funded, 2 and that these reports be made available to the public 
through Recovery.gov, the government's Recovery Act Web site. 3 

The transparency that is envisioned for tracking Recovery Act spending 
and results is an extensive undertaking for the federal government. Both 
Congress and the President have emphasized the need for accountability, 
efficiency, and transparency in the expenditure of Recovery Act funds and 
have made it a central principle of the act. However, tracking billions of 
dollars that are being disbursed to thousands of recipients is an enormous 
effort. The administration expects that achieving this degree of visibility 
will be iterative, whereby both the reporting process and the information 
recipients provide improve over time and, if successful, could be a model 
for transparency and oversight beyond the Recovery Act. 

To implement Recovery Act reporting requirements, the Office of 
Management and Budget (OMB) provides guidance to federal agencies for 
overseeing recipients' Recovery Act quarterly reporting, which includes a 
requirement that agencies review the overall data quality of recipient 
reports before they are posted on Recovery.gov. While the Recovery Act 
does not specifically define transparency, OMB's guidance states that 



1 Pub. L. No. 111-5, 123 Stat. 115, 164 (2009).
2 Recovery Act, div. A, title XV, § 1512, 123 Stat. 287-88.
3 Id. at §§ 1523(b)(4), 1526.




GAO-11-88 FEMA Recovery Act Reporting 



recipients' narrative information, such as their award descriptions, must 
be sufficiently clear to facilitate understanding by the general public of 
how Recovery Act funds are being used. 

In addition, OMB directs federal agencies to consider both transparency as 
well as national security concerns, when applicable, when reviewing 
recipients' quarterly reports in preparation for posting on Recovery.gov. 4 
Among other agencies, this directive applies to DHS' Federal Emergency 
Management Agency (FEMA), which operates the Recovery Act PSGP. On 
the one hand, FEMA must help ensure that award and project descriptions 
publicly available on Recovery.gov explain how recipients are using PSGP 
funds in order to promote transparency. On the other hand, FEMA is 
responsible for helping to ensure that specific information about the ports' 
existing vulnerabilities, such as the absence of security systems, is 
safeguarded and not publicly disclosed on Recovery.gov. This is 
particularly important since the disclosure of such information — some of 
which stems from grant recipient documents that contain Sensitive 
Security Information (SSI) — could compromise national security. 5 

In response to your request regarding the federal role in reporting on the 
use of Recovery Act funds and the extent to which recipients transparently 
report on their activities, we issued a report in May 2010 on the extent to 
which descriptions of awards found on Recovery.gov fostered a basic 
understanding of award activities and expected outcomes. 6 This report 
provided information on the level of transparency in reporting on 
Recovery.gov for federal agencies administering 11 Recovery Act 
programs including broadband, energy, transportation, infrastructure, and 
civil works. Our assessment of transparency on Recovery.gov included a 
review of the transparency of award descriptions on Recovery.gov for 



4 This guidance provides that, "in general, if a question arises about whether to provide 
public disclosure of information, agencies should promote transparency to the maximum 
extent practicable when consistent with national security interests." OMB, Memorandum 
for the Heads of Departments and Agencies: Initial Implementing Guidance for the 
American Recovery and Reinvestment Act of 2009, M-09-10 (Washington, D.C.: February 
2009). 

5 Under federal regulations, SSI is, in general, information obtained or developed in the
conduct of security activities, including research and development, the disclosure of which 
the Transportation Security Administration (TSA) has determined would, among other 
things, be detrimental to the security of transportation. See 49 C.F.R. § 1520.5. 

6 GAO, Recovery Act: Increasing the Public's Understanding of What Funds Are Being 
Spent on and What Outcomes Are Expected, GAO-10-581 (Washington, D.C.: May 27, 2010). 
FEMA's Recovery Act PSGP. The Recovery Act PSGP recipient reports
varied widely in level of detail — as we will discuss later in this report — 
because FEMA lacked a process for considering both the need to report 
on funded activities and expected outcomes in a transparent manner and 
the need to safeguard SSI in recipient reports. Therefore, as agreed with 
your office, this report focuses on FEMA's efforts to safeguard sensitive 
information associated with its Recovery Act port security awards. 
Specifically, it addresses: (1) the extent to which FEMA has implemented 
management controls to ensure that DHS' SSI policies and processes are 
consistently followed when administering the Recovery Act PSGP, and (2) 
the steps that FEMA has taken to ensure that sensitive information has not 
been publicly disclosed by PSGP recipients on Recovery.gov. 

To conduct our work, we reviewed relevant laws, regulations, and DHS 
guidance on SSI to determine the extent to which FEMA has adopted DHS 
management controls to apply applicable safeguards to SSI contained in 
PSGP grant materials. 7 We also attended a new SSI training course on July 
12, 2010, that FEMA provided to its staff to observe the applicability of 
course material to FEMA grant managers. In addition, we reviewed 
FEMA's draft standard operating procedure for reviewing Recovery Act 
recipient reports prior to their release on Recovery.gov and compared it 
with Standards for Internal Control in the Federal Government and DHS' 
guidance for safeguarding SSI to determine the steps FEMA has taken to 
help prevent public disclosure of sensitive Recovery Act PSGP grantee 
details. 8 We complemented this review by interviewing FEMA and DHS 
officials with responsibility for ensuring a reasonable degree of quality 
across PSGP recipient reports, as laid out in OMB's Recovery Act 
reporting guidance. 



7 Pub. L. No. 111-5, 123 Stat. 115 (2009). 49 C.F.R. Part 1520. DHS, Sensitive Security 
Information (SSI), Management Directive 11056.1 (Washington, D.C.: November 2006). 

8 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 
(Washington, D.C.: November 2009). Internal control is an integral component of an 
organization's management that provides reasonable assurance that the following 
objectives are being achieved: effectiveness and efficiency of operations, reliability of 
financial reporting, and compliance with applicable laws and regulations. These standards, 
issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 
1982 (FMFIA), provide the overall framework for establishing and maintaining internal 
control in the federal government. Also pursuant to FMFIA, the Office of Management and 
Budget issued Circular A-123, revised December 21, 2004, to provide the specific 
requirements for assessing the reporting on internal controls. Internal control standards 
and the definition of internal control in Circular A-123 are based on the GAO Standards for 
Internal Control in the Federal Government. 
In addition, we reviewed existing Recovery Act guidance from OMB to
determine the extent to which instructions are available to agencies on 
handling sensitive information from grant recipients and reviewed 
documentation of FEMA's contact with recipients after reviewing their 
reports to assess the extent to which FEMA consistently attempted to 
prevent disclosure of protected information. 9 We also selected a 
representative probability (random) sample of 61 out of the total 214 PSGP 
recipient reports available on Recovery.gov as of February, 2010, and 
reviewed the level of detail they provided. We also spoke with DHS 
officials responsible for assessing whether or not documents contain SSI 
to determine the extent to which recipient award descriptions available on 
Recovery.gov could reveal vulnerabilities at the ports and potentially 
jeopardize port security. 10 

Finally, we interviewed a nonprobability sample of 6 of the 61 randomly 
sampled Recovery Act PSGP recipients to determine the extent to which 
FEMA had provided recipients with information related to safeguarding 
sensitive details when submitting Recovery Act reports. We selected the 6 
recipients based on diversity in geographical location; PSGP award size; 
level of detail included in quarterly report submission provided to FEMA; 
and whether the recipient made changes to its entries following FEMA's 
review. Our interviews provided us with an understanding of recipients' 
experience in balancing transparency and the safeguarding of SSI in 
reporting information for ultimate posting on Recovery.gov. However, 



9 OMB, Memorandum for the Heads of Departments and Agencies: Initial Implementing
Guidance for the American Recovery and Reinvestment Act of 2009, M-09-10 
(Washington, D.C.: February 2009). OMB, Memorandum for the Heads of Departments 
and Agencies: Updated Implementing Guidance for the American Recovery and 
Reinvestment Act of 2009, M-09-15 (Washington, D.C.: April 2009). OMB, Memorandum 
for the Heads of Departments and Agencies: Implementing Guidance for the Reports on 
Use of Funds Pursuant to the American Recovery and Reinvestment Act of 2009, M-09-21 
(Washington, D.C.: June 2009). OMB, Memorandum for the Heads of Departments and 
Agencies: Updated Guidance on the American Recovery and Reinvestment Act - Data 
Quality, Non-Reporting Recipients, and Reporting of Job Estimates, M-10-08 
(Washington, D.C.: December 2009). OMB, Memorandum for the Heads of Departments 
and Agencies: Updated Guidance for the American Recovery and Reinvestment Act, M-10- 
14 (Washington, D.C.: March 2010). 

10 While there are 218 total Recovery Act PSGP recipients, we found 214 Recovery Act PSGP 
recipient reports available on Recovery.gov as of February 10, 2010, when we took our 
sample. According to FEMA officials, reports from 2 of the remaining 4 recipients were not 
available at the time we took our sample because the recipients had experienced problems 
entering information in certain fields in Recovery.gov, and the other 2 recipients likely had 
similar problems. 
because we used a nonprobability sample, the results cannot be
generalized to all Recovery Act PSGP recipients. 

We conducted this performance audit from June 2010 through October 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit to 
obtain sufficient, appropriate evidence to provide a reasonable basis for 
our findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our findings 
and conclusions based on our audit objectives. 



Background 



Port Security Grant Program Priorities and Management

The Recovery Act Port Security Grant Program (PSGP) is based on the
existing PSGP, which was first established under the Maritime
Transportation Security Act of 2002 (MTSA). 11 Since 2007, FEMA has been
operating the PSGP to provide grant funding to port areas for the
protection of critical port infrastructure from terrorism. 12 When the 
Recovery Act was enacted in February 2009, it provided an additional $150 
million while preserving the funding priorities of the existing PSGP, which 
emphasize prevention and response to threats against the nation's 
seaports, including weapons of mass destruction. 13 FEMA had obligated all 
$150 million of its Recovery Act PSGP funds as of September 29, 2009. As 
of September 3, 2010, 64 of the 218 PSGP recipients had drawn down 
funds, for a total of $10,002,461. 

The Recovery Act PSGP also placed additional priority on cost-effective 
projects that can be started quickly and stimulate the economy through 
jobs creation. PSGP recipients, such as owners and operators of MTSA- 



11 Pub. L. No. 107-295, 116 Stat. 2064, 2075-79 (2002).

12 Prior to 2007, the PSGP was operated by a number of offices within the Department of 
Transportation and DHS. 

13 These are (1) enhancing "maritime domain awareness," which involves enhancements to
intelligence sharing and analysis amongst law enforcement and government leaders; (2) 
enhancing prevention, protection, response, and recovery to improvised explosive devices 
and weapons of mass destruction; (3) supporting implementation of DHS' Transportation 
Worker Identification Credential (TWIC) program; and (4) completing construction or 
infrastructure improvement projects that align with existing port and vessel risk 
management and security plans. 
regulated vessels and facilities, can use their 3-year grants for, among other
things, equipment purchases, such as acquiring security cameras and 
security gates to strengthen access controls, as well as card readers and 
other infrastructure necessary to implement DHS' Transportation Worker 
Identification Credential (TWIC) program. 14 

FEMA's Grant Programs Directorate (GPD) is the central unit for grants
management at FEMA, and within DHS, both FEMA's GPD and the U.S.
Coast Guard (Coast Guard) are involved in managing the Recovery Act 
PSGP. 15 FEMA (1) has the lead in creating selection criteria for use in the 
application review process, (2) administers the Recovery Act PSGP, (3) 
provides outreach and support to applicants about program requirements, 
and (4) manages the Recovery Act PSGP to ensure compliance with 
federal grant management requirements. In addition, FEMA assigned all 
Recovery Act PSGP recipients a FEMA program analyst to serve as the 
recipient's "one-stop" account manager, who would meet with the 
recipient as needed and coordinate with other agencies to support the 
recipient. The Coast Guard has the lead in setting port security priorities 
associated with Recovery Act PSGP award selection criteria. These 
priorities are emphasized in the Recovery Act PSGP application process, 
which requires eligible port areas and ferry systems to provide, among 
other things, an investment justification describing how the proposed 
project will help address gaps and deficiencies in current programs and 
capabilities, the length of time needed to begin and complete the project, 
and the number of jobs the project would create. 



14 Access controls can include security measures such as pedestrian and vehicle gates,
keypad access codes that use personal identification numbers, magnetic stripe cards and 
readers, fingerprint readers, or other biometric technology, turnstiles, locks and keys, and 
security personnel. In general, under the TWIC program, maritime workers who require 
unescorted access to secure areas of MTSA-regulated port facilities and vessels must 
obtain a biometric TWIC credential to access such secure areas to help ensure appropriate 
security checks of such personnel. 

15 GPD was formally created on April 1, 2007, pursuant to the Post-Katrina Emergency 
Management Reform Act of 2006 (Pub. L. No. 109-295, 120 Stat. 1355, 1394 (2006)). GPD 
consolidated the grant business operations, systems, training, policy, and oversight of all 
FEMA grants and the program management of the suite of preparedness grants. 
DHS' Policy for SSI

DHS Management Directive 11056.1 establishes the department's policy
regarding the recognition, identification, and safeguarding of SSI. 16 In
addition to requiring certain actions by specified agencies such as 
Immigration and Customs Enforcement, Customs and Border Protection, 
and the Coast Guard, the directive provides that other DHS component 
heads not specifically identified — where appropriate based on the extent 
of use of SSI — should appoint an official to serve as the component's SSI 
Program Manager, who is to be responsible for, among other things, 
developing component-specific SSI identification and procedural guidance 
as necessary, and conducting self-inspections of the component for the 
effective management and practical application of SSI, and consistent and 
appropriate application and use of SSI at least once every 18 months. 

In addition, the directive states that those other component heads not 
specifically identified in the directive, where appropriate, should appoint 
at least one employee in each office that generates or accesses SSI to 
serve as SSI Coordinator and have the authority to make determinations 
on behalf of DHS that records generated by this office are appropriately 
marked SSI. Further, among other responsibilities, the SSI Coordinator is 
to conduct annual self-inspections of the office for the effective 
management and practical application of SSI, and consistent and 
appropriate application and use of SSI, as well as ensure that office 
personnel who access SSI receive training. 

FEMA considers the narratives within PSGP recipients' investment 
justifications to be SSI, the disclosure of which could compromise national 
security, because information found in the investment justifications could 
reveal current vulnerabilities and present opportunities for potential 
terrorist threats. Therefore, FEMA does not permit the investment 
justifications to be publicly released. In addition, under federal SSI 
regulations, both FEMA's grants management staff and PSGP recipients 
are considered to be "covered persons" because, among other things, they 



16 In 2005, we reported that TSA lacked policies, procedures, and internal controls related to
the identification and safeguarding of SSI. Following our report, DHS issued Management 
Directive 11056 in December 2005. See GAO, Transportation Security Administration: 
Clear Policies and Oversight Needed for Designation of Sensitive Security Information, 
GAO-05-677 (Washington, D.C.: June 2005). We also reported that DHS issued a revised 
management directive, Management Directive 11056.1, to address legislative requirements 
in the DHS Appropriations Act of 2007 and our 2005 recommendations. See GAO, 
Transportation Security Administration's Processes for Designating and Releasing 
Sensitive Security Information, GAO-08-232R (Washington, D.C.: November 2007). 
access SSI contained in the investment justifications. 17 Covered persons'
responsibilities include, among others, taking reasonable steps to 
safeguard SSI in their possession or control from unauthorized disclosure, 
regardless of medium, and marking information as SSI. 18 



Recovery Act Recipient Reporting Process

To promote transparency and accountability, the Recovery Act requires
recipients of Recovery Act funds, such as PSGP recipients, to report each
calendar quarter on the use of funds, and further requires that this
reporting continue for every quarter in which the recipient receives 
Recovery Act funds from the federal government. Specifically, these 
reports collect numerical information, such as the amount of funds 
obligated — or committed for payment — as well as narrative details, such 
as a description of the activity funded at the port. 19 To implement Recovery 
Act reporting requirements, OMB has worked with the Recovery 
Accountability and Transparency Board (Recovery Board) to deploy a 
nationwide data collection system at Federalreporting.gov. 20 



17 The regulatory definition of "covered person" includes, for example, DHS, each person
who has access to SSI, owners and operators of MTSA-regulated vessels and facilities, and 
each person employed by, or contracted to, or acting for a covered person, including a 
grantee of DHS. See 49 C.F.R. § 1520.7. In general, under SSI regulations, access to SSI is to 
be provided only to those covered persons with a need to know. The regulations establish 
the circumstances under which a person has a need to know SSI, such as when a person 
requires access to specific SSI to carry out transportation security activities approved, 
accepted, funded, recommended, or directed by DHS or the Department of Transportation. 

18 To mark paper information as SSI, a covered person must place a protective marking —
SENSITIVE SECURITY INFORMATION — conspicuously at the top of the outside of the
front and back cover, the title page, and each page of the document. In addition, the 
covered person must also include a distribution limitation statement at the bottom of each 
page. The distribution limitation statement is: "WARNING: This record contains Sensitive 
Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this 
record may be disclosed to persons without a 'need to know,' as defined in 49 CFR parts 15 
and 1520, except with the written permission of the Administrator of the Transportation 
Security Administration or the Secretary of Transportation. Unauthorized release may 
result in civil penalty or other action. For U.S. government agencies, public disclosure is 
governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520." 

19 The required field "Award Description" asks recipients to describe in narrative form "the 
overall purpose, expected outputs, and outcomes or results of the award, including 
significant deliverables and, if appropriate, units of measure." See GAO-10-581.

20 The Recovery Act created the Recovery Accountability and Transparency Board, which is 
composed of 12 Inspectors General from various federal agencies, who serve with a 
chairman of the board. 
OMB set specific time lines for recipients to submit reports and for
agencies to review the data using this site. Specifically, recipients are 
required to prepare, enter, and validate their information by the tenth day 
following the end of a quarter, after which federal agencies perform data 
quality reviews, in accordance with OMB guidance, to identify material 
omissions and significant reporting errors, and notify recipients of the 
need to make appropriate and timely changes to erroneous reports. 21 
Recipients have the ultimate responsibility for responding to the agency's 
data quality reviews and then submitting the final data for posting on 
Recovery.gov, as illustrated in figure 1. Recovery.gov was designed to 
provide transparency of information related to spending on Recovery Act 
programs and is the public's official source of information related to the 
Recovery Act. 

As a federal agency administering Recovery Act funds, FEMA is 
responsible for adhering to OMB guidance and Recovery Act requirements 
and GPD has the lead for executing these responsibilities for the Recovery 
Act PSGP. In addition, DHS officials responsible for agencywide Recovery 
Act implementation also review recipient quarterly reports, checking data 
fields, such as award numbers, for accuracy, and informing GPD staff of 
noncompletion. 



21 Material omissions are defined as instances where required data are not reported or
reported information is not otherwise responsive to the data requests resulting in a 
significant risk that the public is not fully informed as to the status of a Recovery Act 
project or activity. Significant reporting errors are defined as those instances where 
required data are not reported and such erroneous reporting results in significant risks that 
the public will be misled or confused by the recipient report in question. 
Figure 1: FEMA's Recipient Review Process for Recovery Act PSGP

[Figure not reproduced. Surviving label: Recovery Act Port Security Grant Program (PSGP) recipients.]

Source: GAO.



FEMA Has Taken Steps to Implement DHS' SSI Policies in Administering the Recovery Act PSGP, but Further Actions Could Improve Consistency



FEMA has taken recent steps to adhere to DHS' Management Directive 
when administering the PSGP, such as appointing officials with direct 
responsibility for SSI; however, FEMA has not yet established or put in 
place all of the management controls, or taken all the actions, called for in 
the directive. For example, in January 2010, FEMA appointed its first SSI 
Program Manager, and in July 2010 — during the course of our review — 
GPD appointed an SSI Coordinator. Nevertheless, GPD's SSI Coordinator 
has not assessed the extent to which SSI documents, including Recovery 
Act PSGP investment justifications, have been marked appropriately, or 
instilled practices to ensure that GPD personnel who access SSI receive 
appropriate training, as required by DHS' directive. 
FEMA has appointed an SSI Program Manager, GPD has appointed an SSI
Coordinator, and both individuals are taking steps to adhere to DHS' 
Management Directive, issued in 2005. 

FEMA has appointed an SSI Program Manager. FEMA appointed its 
first SSI Program Manager in January 2010, and this individual has 
developed a standard operating procedure that, in accordance with DHS' 
2005 Management Directive, establishes FEMA's protocols for recognizing, 
identifying, and safeguarding SSI. According to the SSI Program Manager, 
the standard operating procedure was reviewed by Transportation 
Security Administration (TSA) and Coast Guard officials, and approved by 
officials in FEMA's Office of Security before distribution to FEMA staff in 
mid-August. The SSI Program Manager also reported that he is planning to 
develop an SSI Instruction Guide for FEMA GPD in November 2010 that 
will identify the types of information in grant documents handled by 
FEMA GPD staff that should and should not be marked and treated as SSI. 
According to the SSI Program Manager, this guide will be completed in 
collaboration with FEMA GPD, TSA, and the Coast Guard, and will be 
applicable to FEMA GPD staff, contractors, and grantees. Further, the SSI 
Program Manager reported to us that he is developing a self-inspection 
program based on an SSI evaluation program that the Coast Guard 
currently uses. This will fulfill the Management Directive's instruction to 
conduct self-inspections for effective management, and consistent and 
appropriate application and use of SSI, at least once every 18 months. 22 He 
expects to conduct FEMA's self-inspection in December 2010. 

In addition, in response to our questions regarding the extent of SSI 
training offered to GPD staff, the Program Manager provided training to 
FEMA's GPD staff in mid July on identifying, handing, and safeguarding 
SSI. We observed this training, and noted that it explained the difference 
between SSI and classified information, defined the 16 categories of SSI in 
the SSI regulations, and provided guidance regarding how to handle SSI. 

FEMA's GPD has appointed an SSI Coordinator. During the course of 
our review, and in response to our questions regarding the status of GPD's 
efforts to appoint an SSI Coordinator within GPD, the GPD Assistant 
Administrator appointed GPD's Director of Internal Controls and Risk 
Management to be GPD's first SSI Coordinator on July 8, 2010. The SSI 



BUS, Sensitive Security Information (SSI), Management Directive 11056.1. (Washington, 
D.C.: November 2006). 
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FEMA Has Taken Some 
Steps to Adhere to DHS' 
SSI Policies and 
Procedures 



Coordinator told us that she informed all GPD staff of the SSI Program 
Manager's July SSI training and encouraged GPD personnel who access or 
generate SSI to attend. Further, according to the SSI Coordinator, she and 
her staff will reach out to ensure that the remaining staff who have not yet 
received training attend one of the upcoming training sessions that the SSI 
Program Manager is offering throughout the fall of 2010. In addition, the 
SSI Coordinator told us that, once staff are trained, she plans to identify 
and reach out to supervisors in GPD branches who will have responsibility 
for staff managing SSI within their units to discuss and delineate their 
unit's SSI responsibilities, including determining whether documents in 
their office are appropriately marked SSI, and reporting back to her. 

Further, the SSI Coordinator told us that she plans to issue a bulletin or 
memorandum to GPD staff and grantees to provide additional information 
beyond that discussed in the initial SSI training, such as GPD staff 
members' specific roles in identifying and handling SSI and the relevance 
of SSI to GPD grants. Before writing the bulletin, the SSI Coordinator 
reported that she planned to talk to GPD staff — including Recovery Act 
PSGP program officials, as well as the official responsible for reviewing 
Recovery Act PSGP recipient reports — to determine the process being 
used for handling recipient information and reporting, and what 
information related to SSI these officials need. According to the SSI 
Coordinator, she has drafted the bulletin but plans to make revisions 
before issuing it to GPD staff and grantees later this fall. Additionally, the 
SSI Coordinator told us she will — while conducting training and working 
with GPD staff responsible for SSI in their branches — assume 
responsibility for conducting GPD's annual self-inspection, in accordance 
with DHS' 2005 Management Directive. According to FEMA's SSI Program 
Manager, he and the SSI Coordinator will jointly complete a self-inspection 
of FEMA GPD in December 2010 to identify to the SSI Coordinator what 
the self-inspection program should entail. 



Additional Actions Could Help FEMA Better Ensure That DHS' SSI Policies Are Consistently Followed 



FEMA has established some management controls outlined in DHS' 
Management Directive to help ensure that its staff are better able to 
appropriately identify and handle SSI, but it has not yet taken all the 
actions or fully established all the management controls included in the 
directive. 



Marking of SSI: The SSI Coordinator told us that with respect to 
Management Directive-required oversight of SSI within GPD, she has not 
made any determinations as to whether SSI documents are appropriately 
marked. While FEMA considers all PSGP investment justifications to be 
SSI, our analysis showed that not all Recovery Act PSGP investment 
justifications — documents recipients submit to FEMA when applying for 
the grant and that FEMA keeps on file — have been marked as such, 
pursuant to SSI regulations. Specifically, our sample review of six 
Recovery Act PSGP investment justifications showed that none of the 
materials were marked as SSI, as required by SSI regulations. According to 
one Recovery Act PSGP official, while the investment justifications are not 
labeled SSI, GPD staff convey the sensitive nature of the documents to the 
covered parties involved. 

The SSI Coordinator told us that supervisors she designates throughout 
GPD will be responsible for reviewing their unit's grant file documents to 
determine if they are marked appropriately and report the results to her 
after these supervisors receive SSI training. However — while FEMA does 
not publicly release the investment justifications, such as on 
Recovery.gov — some of the Recovery Act PSGP investment justifications 
are currently not marked SSI in accordance with SSI regulations. As a 
result, others who access the information in the investment justifications 
may not be aware that it is SSI and, thus, are at a greater risk of 
inadvertently disclosing such information. Reviewing these justifications 
and marking them immediately as SSI could help the SSI Coordinator 
ensure that GPD personnel are better positioned to safeguard them from 
inadvertent unauthorized disclosure. 

SSI Training: Prior to July 2010, FEMA did not provide specific SSI 
training to its grants management staff, and the FEMA SSI Program 
Manager told us the development of this course stemmed largely from our 
work on the subject. However, based on our observations, the course did 
not include grant-specific examples that could have helped facilitate GPD 
staff's understanding in applying the training concepts regarding SSI to 
their work. 

For instance, GPD officials with whom we spoke were unclear about the 
application of SSI to the Recovery Act PSGP, and grant-specific examples 
could clarify how to determine if grant information is SSI. For example, 
according to a TSA SSI official, the information upon which the PSGP 
investment justifications are based — port vulnerability assessments — is 
identified as SSI in the C.F.R. Therefore, the investment justifications may 
contain SSI, but the TSA official told us that the investment justifications 
are not SSI in their entirety because information from the vulnerability 
assessments could be removed from the documents. However, the three 
Recovery Act PSGP officials with responsibility for administering the 
program offered conflicting information with regard to the sensitive nature 
of PSGP materials. One official reported that FEMA considers all PSGP 
investment justifications to be SSI because the disclosure of activities 
under the PSGP could demonstrate current vulnerabilities and present 
opportunities for potential terrorist threats. Another official told us that he 
disagrees with the determination that the investment justifications are SSI 
because projects funded under the PSGP are visible to the public — for 
instance, if a port is adding lighting, the public can see that the project is 
being undertaken. Moreover, this official noted that information about the 
Recovery Act PSGP projects could easily be obtained from other publicly 
available sources, such as construction permits. A third FEMA official 
believed that certain information in the investment justifications may be 
SSI, but the investment justifications in their entirety are not. 

Moreover, during the training session we observed, numerous GPD staff 
asked for clarification and examples to understand how the SSI 
regulations apply to their day-to-day work. The training did not provide 
this information. The SSI Coordinator acknowledged that the training 
lacked specific examples and told us that GPD staff likely will need 
additional information about the relevance of SSI to FEMA's grant 
management. We have previously reported on a number of factors that 
managers should consider when assessing training. One of these factors 
includes whether the training incorporated a suitable blend of content, 
addressing both the theoretical basis of the material (such as an 
explanation of the context and principles involved) and the practical 
application of the issues (such as agency administrative procedures 
related to the material). 23 The initial SSI training delineated the context of 
SSI and the regulations involved, but it did not incorporate any GPD- 
specific examples to illustrate the appropriate identification and handling 
of SSI by GPD personnel. In addition, it did not include any reference to 
the Recovery Act PSGP or any other Recovery Act program FEMA 
administers. Further, it also did not address how GPD staff should ensure 
transparent reporting on funded activities and expected outcomes while 
also safeguarding SSI. Given that Recovery Act PSGP staff were unclear 
about the application of SSI to their work and attendees at GPD's initial 
SSI training requested examples to illustrate how SSI pertains to their 
work, providing grant-specific examples in its SSI training could help 
FEMA ensure that all GPD staff, including Recovery Act PSGP staff, are 
better positioned to identify, mark, and safeguard SSI within their 
programs. 

23 GAO, Human Capital: A Guide for Assessing Strategic Training and Development Efforts 
in the Federal Government, GAO-04-546G (Washington, D.C.: March 2004). 



FEMA Has Taken Initial Steps to Develop and Document a Review Process, but Additional Controls Could Help Prevent the Unauthorized Disclosure of SSI 



FEMA has implemented an agencywide standard operating procedure 
governing the safeguarding of SSI within FEMA; however, this is a broad 
policy that does not specifically address aspects related to the Recovery 
Act PSGP recipient report review process. Further, while FEMA GPD staff 
have taken steps to outline their recipient review process, GPD 
management has not approved the procedure and the draft does not 
include key controls for reducing the risk of error. Moreover, when 
conducting its data quality review, FEMA does not have a distinct process 
for comparing recipients' quarterly reports against SSI criteria to ensure 
that sensitive information, similar to that which is described in the 
recipients' investment justifications, is not included in the Recovery Act 
reporting and thus made publicly available. FEMA also lacks a protocol for 
informing recipients when their draft Recovery Act reports contain 
sensitive information and should be safeguarded appropriately. Finally, 
FEMA has not provided instruction to recipients cautioning them up front 
against revealing SSI in their recipient report submissions and guiding 
them on what an appropriate level of detail would be. 



FEMA's Process for Reviewing Recovery Act PSGP Recipient Reports Is Documented but Lacks Key Controls and Has Not Been Approved 



Two officials within GPD were responsible for performing quality reviews 
on recipients' quarterly submissions to FederalReporting.gov before these 
submissions were posted to Recovery.gov in February 2010, the reporting 
period we reviewed. One official told us that he and his former colleague 
drafted a standard operating procedure after they were charged with 
reviewing recipients' reports in 2009, and that it described the Recovery Act 
recipient report reviewing process they undertook. This draft standard 
operating procedure included descriptions of the reporting cycle, the 
various elements recipients report, sources of the reporting data, the 
Recovery Act process for reviewing recipient information, and directions 
on how to compile and report the required information. However, the draft 
standard operating procedure does not have managerial approval as of 
September 2010 and lacks a discussion of internal controls, including a 
process to ensure that a secondary review of the comments occurs. 



Internal control standards state that transactions and significant events — 
in this case, FEMA's data quality review of Recovery Act recipients' 
reports — should be authorized and the authorization should be clearly 
communicated to employees to assure that only valid transactions take 
place. 24 We found that the draft standard operating procedure being used 
was not approved by senior GPD management as of September 2010. A 
former director in GPD with oversight of the individuals conducting 
reviews of recipients' submissions did not approve the standard operating 
procedure before she left the agency and, as of September 2010, it has 
neither been approved nor presented to her replacement for approval. 
Approving a standard operating procedure for Recovery Act quarterly 
recipient report reviews could help FEMA management better ensure that 
the Recovery Act PSGP personnel are conducting reviews in a consistent 
manner. 

In addition, internal control standards state that key duties and 
responsibilities need to be divided or segregated among different people to 
reduce the risk of error or fraud, including separating the responsibilities 
for authorizing, processing and recording, and reviewing transactions. 25 
Moreover, internal control standards call for internal controls and all 
transactions and other significant events to be clearly documented and 
appear in management directives, administrative policies, or operating 
manuals. The draft standard operating procedure FEMA's Recovery Act 
staff developed does not describe procedures for verifying the accuracy of 
reviews, such as the process whereby one reviewer independently verifies 
the other's work, that its author told us had been occurring. Without 
determining what procedures FEMA will use to verify its reviews of 
recipient reports and documenting those procedures, FEMA management 
lacks reasonable assurance that the reviews are being conducted 
consistently and in accordance with management's direction. For instance, 
the GPD official with responsibility for reviewing quarterly Recovery Act 
recipient reports told us that a former director in GPD completed another 
layer of review before FEMA concluded its data quality review. Further, 
although this official reported that four additional GPD or DHS officials 
verified the accuracy of his initial reviews, three of the officials named told 
us that they have not reviewed recipient reports in any manner. The 
remaining official told us that she reviews the numerical fields solely for 
data accuracy and does not review the narrative fields, such as the award 
description where potential SSI may appear. 



24 GAO/AIMD-00-21.3.1. 
25 GAO/AIMD-00-21.3.1. 

FEMA Lacks a Procedure for Comparing Recipient Reports Against SSI Criteria 

FEMA's standard operating procedure does not include a method for its 
Recovery Act PSGP recipient report reviewers to safeguard SSI as required 
of covered persons in SSI regulations. For example, none of the FEMA 
officials with whom we spoke reported that they — or anyone else — was 
responsible for incorporating a sensitivity review into their quarterly data 
quality assessment during which they could compare recipients' 
submissions to FederalReporting.gov against SSI standards to determine if 
the information should be prevented from public disclosure on 
Recovery.gov. 

A Recovery Act PSGP official with whom we spoke reported that it is 
Recovery Act PSGP recipients' responsibility to ensure that they do not 
report SSI in their quarterly reports because it is the recipients who 
initially report the information, not FEMA. However, since FEMA treats 
the investment justifications as SSI, and much of the information 
requested in the reporting fields on FederalReporting.gov is similar in 
nature, conducting such a review would help FEMA ensure that nothing 
from the investment justifications was inadvertently copied into the 
FederalReporting.gov reporting fields and ultimately published on 
Recovery.gov. Further, pertinent SSI regulations require that a covered 
person must take reasonable steps to safeguard SSI in that person's 
possession or control from unauthorized disclosure, 26 and state that 
violations of the SSI regulations, such as unauthorized disclosure of SSI, are 
grounds for, among other things, a civil penalty and other enforcement or 
corrective action by DHS. 27 While recipients initially report the 
information, FEMA accesses this information during its data quality review 
and, therefore, under SSI regulations, Recovery Act PSGP personnel are 
considered to be covered persons and have the accompanying 
responsibility to safeguard any SSI in the recipient reports. 

26 49 C.F.R. § 1520.9(a)(1). 
27 49 C.F.R. § 1520.17. 

A TSA security official who reviewed our sample of 61 PSGP recipient 
reports available on Recovery.gov for the reporting period with data 
available as of February 2010, informed us that none contained SSI; 
however, FEMA should consider a cautious approach when reviewing this 
material in advance and inform recipients if their draft submissions 
contain SSI. 28 While our review showed that none of the Recovery Act 
PSGP recipient reports for the single reporting period in our review 
contained SSI, developing a management-approved policy for reviewing 
Recovery Act PSGP recipient reports that includes steps to compare 
submissions against SSI criteria and properly safeguard it could reduce the 
risk that SSI is made publicly available on Recovery.gov in subsequent 
reporting periods. Further, such a policy could help better position FEMA 
to ensure that officials responsible for Recovery Act recipient reviews take 
reasonable steps to safeguard SSI from unauthorized disclosure, as 
required by SSI regulations. 



FEMA Lacks a Protocol for Informing Recipients When Their Draft Recovery Act Reports Contain SSI and Should Be Safeguarded 



According to the GPD official responsible for reviewing recipients' 
submissions and performing the data quality review on 
FederalReporting.gov, when the Recovery Act quarterly reporting began, 
the issue of data sensitivity was not discussed in any manner. However, 
the official noted that the GPD Director to whom he reported at the time 
told him to use his judgment and when he thought recipient submissions 
included "too much detail" in the narrative-based fields, such as the one 
for "award description," he should notify recipients. Specifically, the 
director instructed him to use boilerplate language when commenting 
back to the recipients, with the following notification statement: "Due to 
the public nature of this report, please adjust the Award Description to: 
American Recovery and Reinvestment Act Port Security Grant Program 
(ARRA PSGP)." 29 This official stated that he did not develop standard 
criteria to determine what "too much detail" meant, nor does he compare 
the information contained in these quarterly reports against SSI criteria 
while conducting his data quality review. Instead, he explained that he 
used his best judgment and if the details in the narrative field appeared 
similar to the information the recipient reported in its investment 
justification, then he sent the recipient the standard notification statement. 



28 TSA's SSI Branch is the focal point governmentwide for making assessments to determine 
if information is SSI. 

29 While federal agencies are required under OMB guidance to perform data quality reviews 
of recipient data before they are posted on Recovery.gov and notify recipients of the need 
to make appropriate and timely changes to erroneous reports, recipients are ultimately 
responsible for data quality checks and final submission of the data. 

This notification statement did not communicate the rationale for 
change — that the specific information about their use of award funds or 
expected outcomes could disclose SSI, which could document 
vulnerabilities or jeopardize port security — or a reason for recipients to 
take action, even though SSI regulations require covered persons to take 
reasonable steps to safeguard SSI from unauthorized disclosure. 
Moreover, internal control standards call for managers to ensure that there 
are adequate means of communicating with, and obtaining information 
from, external stakeholders that may have a significant impact on the 
agency achieving its goals. Most importantly, FEMA's notification 
statement does not inform recipients of their responsibility as covered 
persons to safeguard SSI. Including in its standard operating procedures a 
process for notifying recipients when their reports include SSI and taking 
steps to inform recipients about their responsibilities as covered persons 
could better position FEMA to help prevent the inadvertent release into 
the public domain of information that could potentially compromise 
national security. 



FEMA Has Not Provided Instruction to Recipients on Safeguarding SSI While Reporting Project Details in a Transparent Manner for Posting on Recovery.gov 



During the Recovery Act quarterly reporting process, under federal SSI 
regulations, both recipients — who submit the initial information — and 
FEMA personnel — who review the information — are considered to be 
covered persons with a duty to safeguard SSI. In addition, OMB's Recovery 
Act reporting guidance states that recipients' narrative information must 
be sufficiently clear to facilitate understanding by the general public of 
how Recovery Act funds are being used. 

In reviewing the narrative descriptions provided on Recovery.gov for the 
61 recipients in our sample, we found wide variation in the level of detail 
provided regarding the awards' purposes, scope and nature of activities, 
locations, costs, outcomes, and status of work. In a few instances, the 
reports had clear and complete information across these areas. For 
instance, the description of an award for a Missouri port stated that it will 
be used for surveillance cameras that will allow the police department to 
receive information about potential attacks using improvised explosive 
devices and, as a result, increase the likelihood of preemptive action. In 
the majority of cases, however, the reports provided little or none of the 
information on what funds are being spent on and what outcomes are 
expected. For instance, an award description for a port in Washington did 
not provide the location where the award activities are being conducted, 
what the award would fund, or the outcomes expected as a result of the 
award. 



According to FEMA, the sensitive nature of port security information 
affects the transparency of PSGP recipient reporting. However, FEMA's 
GPD has not provided technical assistance or program-specific guidance 
to Recovery Act PSGP recipients on how to report on funded activities and 
expected outcomes in a transparent manner while also safeguarding SSI. 
For example, all of the PSGP recipients with whom we spoke reported 
that FEMA had not instructed them on how to consider transparency 
needs and safeguard SSI in Recovery Act reporting. 30 

According to a Coast Guard Recovery Act PSGP official, GPD's SSI 
Coordinator, and three of the five Recovery Act PSGP recipients with 
whom we spoke, Recovery Act PSGP recipients are not always clear 
regarding what information they should report and what information they 
should protect. For instance, GPD's SSI Coordinator told us that the 
recipients may be confused about what they should report in their 
quarterly Recovery Act reports because OMB guidance stresses 
transparency even though SSI regulations stress safeguards. Therefore, the 
SSI Coordinator stated that recipients may be unsure how to comply with 
both because of their seemingly conflicting messages. Moreover, the Coast 
Guard official and four of the five Recovery Act PSGP recipients with 
whom we spoke told us that guidance from FEMA on what recipients 
should and should not report for ultimate posting on Recovery.gov would 
be helpful to recipients and assist them in better understanding how to 
adhere to the requirements in both OMB's existing guidance on Recovery 
Act recipient reporting and those found in the SSI-related regulations. 

Recovery Act PSGP officials with whom we spoke cited two reasons why 
FEMA has not issued instructions to recipients on what information to 
include in the narrative fields when completing their quarterly reports. 
First, the officials reported to us that FEMA was concerned that issuing 
instructions to recipients on what to report in the narrative fields may 
conflict with OMB's emphasis on transparency in Recovery Act reporting. 
When we raised this issue with OMB, staff there told us that OMB allows 
agencies discretion with regard to balancing transparency with national 
security concerns and it cannot provide guidance that addresses the 
details of each Recovery Act program. OMB staff noted that agencies 
should be aware of what program information may be sensitive and 
address these concerns directly with recipients. Further, according to 
OMB officials, agencies overseeing Recovery Act programs have discretion 
to provide their recipients with technical assistance or supplemental 
materials to aid recipients in reporting. 



30 One of the six PSGP recipients in our sample did not respond to our inquiries. 

In our May 2010 report, we reported that some agencies — unlike FEMA — 
supplemented OMB's high-level guidance with program-specific technical 
assistance on how to meet OMB's reporting requirements, including 
specific instructions on what to write in the narrative fields. 31 In addition, 
OMB's March 2010 Memorandum 10-14 permits federal agencies 
overseeing Recovery Act reporting to provide program-specific guidance 
on Recovery Act recipient reporting to recipients as long as it does not 
conflict with OMB guidance and the agency obtains OMB approval. 32 Two 
other agencies — the departments of Transportation and Education — have 
obtained OMB approval to issue such program-specific guidance to assist 
recipients with Recovery Act reporting. As we reported in May 2010, OMB 
officials told us that OMB created generic reporting guidance because they 
expected the guidance to be a baseline, with agencies providing 
supplemental guidance that was more specific to unique program 
characteristics and situations than OMB's one-size-fits-all guidance was 
designed to address. We also reported that, according to OMB, the 
agencies would be better sources of program-specific, individualized 
guidance, tailored to the awards made under their programs. 33 

Second, FEMA officials said that even if they were to issue instructions to 
recipients on what to report in the narrative fields that ultimately will be 
posted on Recovery.gov, some recipients might not follow them and 
FEMA cannot require them to do so. However, given that under federal SSI 
regulations Recovery Act PSGP recipients are considered to be covered 
persons, they have a duty under SSI regulations to safeguard SSI. 

Taking appropriate measures to provide instruction — which could be in 
the form of technical assistance, supplemental materials, or OMB- 
approved guidance — to Recovery Act PSGP recipients has several 
benefits. Namely, by describing the information to include in narrative 
fields that ultimately will be posted on Recovery.gov and informing 
recipients of their duty to protect SSI as covered persons, FEMA could 
help ensure that recipients consider both the need to report on funded 
activities and expected outcomes in a transparent manner while 
safeguarding SSI when reporting information on issues that ultimately will 
be posted on Recovery.gov. 

31 GAO-10-581. 

32 Office of Management and Budget, Memorandum for the Heads of Executive 
Departments and Agencies: Updated Guidance on the American Recovery and 
Reinvestment Act, M-10-14 (Washington, D.C.: March 2010). 

33 GAO-10-581. 

With regard to additional controls to prevent unauthorized disclosure of 
Recovery Act PSGP SSI, FEMA officials reported that their ability to 
implement such controls — including their assessments of information 
recipients submit quarterly to FederalReporting.gov — is constrained due 
to the small number of PSGP staff on board, as well as significant staff 
turnover. According to FEMA data, as of July 2010, 10 FEMA employees 
were administering both the Recovery Act PSGP and regular PSGP, and 
GPD's staff turnover rates were 4 percent and 8 percent in the 2nd quarter 
and 3rd quarter of 2010, respectively. Further, according to FEMA officials, 
OMB is primarily concerned with data quality surrounding the numerical 
reporting fields, such as the award amount, and is less concerned with the 
content of the narrative reporting fields, such as the award description. In 
addition, DHS officials charged with overall Recovery Act implementation 
confirmed that their review of DHS-wide recipient information focuses on 
the nonnarrative fields — such as jobs created, recipient addresses, or 
recipient Congressional district. As a result, the FEMA official charged 
with conducting the data quality reviews told us his priorities have been 
on numbers rather than narrative. OMB staff with whom we spoke told us 
that agencies are better positioned to review narrative information 
because they have knowledge of the programs and OMB staff explained 
that agencies are expected to use their judgment to help ensure that 
recipients do not disclose SSI in the information that ultimately will be 
posted on Recovery.gov. 



Reporting on the funded activities and expected outcomes of Recovery 
Act funds in a transparent manner is vital to ensuring public trust. As such, 
OMB has made transparency a priority in the oversight of Recovery Act 
spending and instructed agencies that when reviewing recipients' quarterly 
reports they should aim to ensure transparency while also safeguarding 
information that is crucial to national security. 

FEMA's GPD has taken some recent steps to establish policies and 
procedures to ensure that it appropriately identifies, handles, and 
safeguards any Recovery Act PSGP information that is SSI. However, 
FEMA could do more to ensure that FEMA officials are helping to prevent 
the disclosure of information that ultimately will be posted on 
Recovery.gov and that is otherwise considered SSI. Specifically, 
determining whether Recovery Act PSGP documents, such as investment 
justifications, that contain SSI are appropriately marked as such and 
taking steps to ensure Recovery Act PSGP officials receive FEMA-specific 
SSI training could help better position FEMA to ensure that its Recovery 
Act PSGP staff protect SSI from unauthorized disclosure. Further, having 
an approved policy for reviewing Recovery Act PSGP recipient reports 
could help ensure that initial reviews by different FEMA GPD staff will be 
conducted in a consistent manner to reduce the risk of error. Moreover, 
including in its process a review to identify recipient-reported information 
as SSI, and taking appropriate measures to improve recipients' 
understanding of what information to include in the narrative fields that 
ultimately will be posted on Recovery.gov and what information to 
safeguard as SSI could better position FEMA to help prevent the 
disclosure of sensitive information on Recovery.gov. 



Recommendations for Executive Action 

To enhance the identification, management, and protection of SSI within 
FEMA in its administration of the Recovery Act PSGP, we recommend that 
the FEMA Administrator take the following four actions: 

• Direct GPD's SSI Coordinator to review Recovery Act PSGP investment 
justifications in FEMA's possession and ensure that they are appropriately 
marked as SSI. 

• Direct GPD's SSI Coordinator, when developing and providing further SSI 
training to GPD staff, to incorporate FEMA-specific examples of the 
application and use of SSI in the training. 

• Direct FEMA's Assistant Administrator for GPD to develop, document, and 
approve a policy that reflects management's intent to implement internal 
controls governing FEMA's review process for Recovery Act recipient 
reports that include appropriate internal controls and a procedure both for 
comparing recipient reports against SSI criteria and notifying recipients 
when their submissions contain SSI. 

• Direct FEMA's Assistant Administrator for GPD to take appropriate 
measures — such as issuing technical assistance, supplemental materials, 
or OMB-approved guidance — to inform Recovery Act PSGP recipients of 
what information they should include in the narrative fields that ultimately 
will be posted on Recovery.gov to foster a basic understanding of funded 
activities and expected outcomes in a transparent manner while ensuring 
that SSI is not disclosed on Recovery.gov. 



Agency Comments and Our Evaluation 



We provided a draft of this report to FEMA for review and comment. 
FEMA provided written comments on the draft report, which are 
reproduced in full in appendix I. FEMA concurred with all four of our 
recommendations, and reported that it plans to take steps to implement 
them. Specifically, FEMA plans to ensure that all Recovery Act PSGP 
grant documents are reviewed and appropriately marked as SSI, which 
would address our first recommendation. Further, FEMA intends to 
enhance its current SSI training to ensure that it is relevant to FEMA 
personnel. If implemented, such training would address our second 
recommendation. In addition, FEMA plans to take steps to incorporate 
appropriate internal controls into its written Recovery Act PSGP policies 
to help ensure consistency in its review of Recovery Act PSGP recipient 
reports. Implementing such controls will address our third 
recommendation. FEMA also agreed with our final recommendation to 
take appropriate measures to inform Recovery Act PSGP recipients of 
what information they should include in their Recovery Act reports. 
However, FEMA did not describe specific actions it planned to take to 
address this recommendation. Nevertheless, FEMA noted that, while no 
SSI was released to the public for the reporting period which we reviewed, 
implementing this recommendation, as well as our others, will enhance 
ongoing review of Recovery Act PSGP recipient reports and better enable 
FEMA to protect SSI from disclosure in the future. FEMA also provided 
technical comments, which we incorporated as appropriate. 



As agreed with your office, unless you publicly announce the contents of 
this report earlier, we plan no further distribution for 30 days from the 
report date. At that time, we will send copies of this report to the Secretary 
of Homeland Security and interested congressional committees. In 
addition, this report will be available at no charge on the GAO Web site at 
http://www.gao.gov. 

Should you or your staff have any questions concerning this report, please 
contact David Maurer at 202-512-9627 or by e-mail at maurerd@gao.gov. 
Contact points from our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. Key contributors to 
this report are listed in appendix II. 



Sincerely yours, 




David C. Maurer 

Director, Homeland Security and Justice Issues 

Appendix I: Comments from the Department of Homeland Security 



U.S. Department of Homeland Security 
Washington, DC 20528 

October 12, 2010 



David Maurer 

Director, Homeland Security and Justice 
441 G Street, NW 

U.S. Government Accountability Office 
Washington, DC 20548 

Dear Mr. Maurer: 

RE: Federal Emergency Management Agency's (FEMA) Review of GAO Draft Report 
10-979, "RECOVERY ACT: FEMA Could Take Steps to Protect Sensitive Port Security 
Grant Details and Improve Recipient Reporting Instructions." (440889) 

Thank you for the opportunity to review and comment on the Government Accountability 
Office (GAO) draft report entitled, "RECOVERY ACT: FEMA Could Take Steps to Protect 
Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions." 

This report included four recommendations. FEMA concurs with the four recommendations 
addressed to DHS. FEMA appreciates the opportunity to highlight current efforts that will not 
only comply with the recommendations, but will also improve our overall operational 
effectiveness. The recommendations and FEMA's corrective actions to address the 
recommendations are described below. 

Recommendation 1: Direct GPD's SSI Coordinator to review Recovery Act PSGP 
investment justifications in FEMA's possession and ensure that they are appropriately marked 
as SSI. 

Response: Concur. FEMA will ensure that all grants are reviewed and have appropriate 
markings. 

Recommendation 2: Direct GPD's SSI Coordinator, when developing and providing further 
SSI training to GPD staff, to incorporate FEMA-specific examples of the application and use 
of SSI in the training. 

Response: Concur. FEMA believes that training goals are better fulfilled by providing 
relevance to those impacted by or those who impact the outcomes or actions of the subject of 
the training, and is moving beyond the standard training platform currently in place. 

Recommendation 3: Direct FEMA's Assistant Administrator for GPD to develop, 
document, and approve a policy that reflects management's intent to implement internal 
controls governing FEMA's review process for Recovery Act recipient reports that includes 
appropriate internal controls and procedures both for comparing recipient reports against SSI 
criteria and notifying recipients when their submissions contain SSI. 

Response: Concur. SSI is a matter that is broader than Recovery Act awards for FEMA. It 
was an important consideration before Recovery Act funds and will remain beyond this 
segment of funds. The FEMA Assistant Administrator for GPD has documented policies that 
reflect management's intentions and assurances relative to internal controls governing many 
of GPD's management and operational activities. The Recovery Act and the transparency 
requirements through new reporting portals introduced a new direction for both the Agency 
and the grantees. In the wake of those new directions, we acknowledge the need to ensure 
that internal controls are applied consistently in FEMA's review process for Recovery Act 
recipient reports as well as in our grants management generally. GPD will take steps to ensure 
that internal controls related to ARRA are added to our existing policies. 

Recovery Act recipients self-report on Recovery.gov. It was understood by the agency as well 
as the grantee community that the intent of the Recovery Act reporting was for information to 
be posted on a public website. Staff reviewed the contents of the material and generally found 
that the grantees were reporting appropriate information. It was the lack of detail that 
initiated the inquiry into insufficient transparency. In the end, the report found no incidence of 
SSI information being publicly reported. We did find very limited cases in which grantees 
were overzealous in complying with the intentions of transparency. Staff asked if they might 
revise their submission in consideration of SSI. 

Recommendation 4: Direct FEMA's Assistant Administrator for GPD to take appropriate 
measures - such as issuing technical assistance, supplemental materials, or OMB-approved 
guidance - to inform Recovery Act PSGP recipients of what information they should include 
in Recovery.gov's narrative fields to foster a basic understanding of funded activities and 
expected outcomes in a transparent manner while ensuring that SSI is not disclosed on 
Recovery.gov. 

Response: Concur. It is important to note, as mentioned in the report, throughout the 
implementation of the Recovery Act transparency process that FEMA, through timely and 
diligent attention, has NOT permitted the release to the public any SSI with respect to the 
reviewed program. The ongoing reporting process will be enhanced through the 
implementation of the recommendations in this report. FEMA is certain, the processes and 
training currently in place did, in fact, ensure that NO SSI was released to the public on 
FederalReporting.gov. 

Thank you for the opportunity to comment on this Draft Report. We look forward to working 
with you on future Homeland Security issues. 



Sincerely, 

Jerald E. Levine 
Director 

Departmental Audit Liaison Office 

GAO's Mission 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting its 
constitutional responsibilities and to help improve the performance and 
accountability of the federal government for the American people. GAO 
examines the use of public funds; evaluates federal programs and policies; 
and provides analyses, recommendations, and other assistance to help 
Congress make informed oversight, policy, and funding decisions. GAO's 
commitment to good government is reflected in its core values of 
accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony 

is through GAO's Web site (www.gao.gov). Each weekday afternoon, GAO 